Add alternate minimal Dockerfile #434
Conversation
@stephenpaulger when linking GO statically
@tmeckel I did start with scratch but quickly realised I needed a shell to use it in CI; it only adds a very small amount by using alpine. mark has a CI mode, so I assume that's a common use case.
@stephenpaulger now you've made me curious! Why'd you need shell support in the container image? Is it because of
@tmeckel No, not mark itself. If you use gitlab you might have a CI config something like:

```yaml
deploy-to-confluence:
  stage: deploy
  image:
    name: kovetskiy/mark:9.11.1
  script:
    - mark --ci=true --drop-h1 -p $CONFLUENCE_TOKEN --space $CONFLUENCE_SPACE --base-url $CONFLUENCE_BASEURL --files "*.md"
```

The part within https://docs.gitlab.com/ee/ci/docker/using_docker_images.html
The new docker-headless-shell image is using bookworm-slim, which I think should be fine for this purpose. If the libraries installed by docker-headless + chrome make this feel big, I'd suggest to parametrize the runtime image instead of having a second Dockerfile.
The main issue for me is not the size directly but the detected CVEs. If I build and scan each image with trivy:

```shell
docker build --platform=linux/amd64,linux/arm64 -t mark:9.12.0 -f Dockerfile .
trivy image mark:9.12.0
docker build --platform=linux/amd64,linux/arm64 -t mark:9.12.0-alpine -f Dockerfile.minimal .
trivy image mark:9.12.0-alpine
```

I don't think for either image that it's likely those CVEs are reachable from mark, especially as I'm not using mermaid, but not having them in the image means I don't need to check or justify their presence. I'm not very familiar with parameterising base images; I understand it can be passed with an ARG, but the main image relies on apt-get, which isn't present in alpine.
I've added a more minimal Dockerfile that uses an alpine base image, the resulting image is under 50MB and contains no software with known vulnerabilities.
The standard mark image requires chrome in order for mermaid-go to work, so this Dockerfile isn't a replacement; it is an alternative that should work for anyone that doesn't need mermaid-go. Unfortunately the chromedp base image is large and contains vulnerable versions of software that, as far as I can tell, have no bearing on mark's functionality. Rather than make an assessment for each vulnerability, I thought it'd be easier to avoid those unused pieces of software.
I've made no effort to make this fail gracefully should someone try to use mermaid-go but I think for any other use case it should work just as well. I chose alpine as the base image as scratch doesn't have a shell which is useful when using the image in CI, busybox may be another option.
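The thread above discusses three points without showing the file: building the Go binary statically, keeping a shell in the runtime image for CI script steps, and parametrizing the base image with an ARG. The Dockerfile below is an added illustration written for this page; it is not the Dockerfile from this PR nor anything from the mark repository. It assumes the build context is the repository checkout with the main package at its root (so `go build .` produces the `mark` binary), and the image tags `golang:1.22-alpine` and `alpine:3.20` are placeholder defaults that can be overridden at build time.

```dockerfile
# syntax=docker/dockerfile:1

# Both base images are build arguments so either stage can be swapped
# without editing the file. ARGs declared before the first FROM are
# only visible in FROM lines, which is all we need here.
ARG GO_IMAGE=golang:1.22-alpine
ARG RUNTIME_IMAGE=alpine:3.20

# --- build stage ---------------------------------------------------------
FROM ${GO_IMAGE} AS build
WORKDIR /src
# Assumption: go.mod/go.sum and the main package sit at the repo root.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 produces a fully static binary with no libc dependency,
# so the runtime stage does not need glibc or musl compatibility shims.
# -s -w strip the symbol table and DWARF data, shrinking the binary.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/mark .

# --- runtime stage -------------------------------------------------------
# alpine ships busybox, so /bin/sh exists and CI runners can execute
# script steps inside the container; a scratch image would not have one.
FROM ${RUNTIME_IMAGE}
# ca-certificates is required for TLS connections to Confluence. Nothing
# else is installed, so a scanner only sees busybox, musl and the Go
# binary rather than a browser and its library tree.
# The unprivileged user is a constructed example (uid 10001).
RUN apk add --no-cache ca-certificates \
    && adduser -D -H -u 10001 mark
COPY --from=build /out/mark /usr/local/bin/mark
USER mark
WORKDIR /docs
ENTRYPOINT ["/usr/local/bin/mark"]
```

Build and scan it the same way the thread does, overriding the runtime base if desired: `docker build --build-arg RUNTIME_IMAGE=alpine:3.20 -t mark:minimal-test -f Dockerfile.minimal .` followed by `trivy image mark:minimal-test`. The limitation raised above still holds for this layout: because the runtime stage uses `apk`, `RUNTIME_IMAGE` can only be pointed at another Alpine-based tag; swapping in a Debian image would require changing that `RUN` line to `apt-get`, which is why a separate Dockerfile rather than a single parametrized one is a reasonable trade-off here.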